MXDR – CloudGuard AI (https://cloudguard.ai), feed last built Thu, 14 Aug 2025 14:36:30 +0000

Preventing malvertising attacks with CloudGuard Managed XDR [real-world examples]
https://cloudguard.ai/resources/preventing-malvertising-mxdr/?utm_source=rss&utm_medium=rss&utm_campaign=preventing-malvertising-mxdr
Mon, 17 Feb 2025 11:02:57 +0000

You’re at work, rushing to edit a PDF. You Google “PDF editor”, click the first link, and download what looks like the perfect tool.

But what if that simple search just opened the door to a cyberattack?

[Image: Google search results for “PDF editor”; one result is genuine, the other is a malvertising ad.]

That’s exactly what happened here. A user thought they were downloading a harmless PDF editor.

Instead, they unknowingly installed malware, and just like that, attackers had remote access to their machine.

This is called malvertising (malicious advertising: malware delivered through ads).

What is malvertising?

Malvertising is a technique used by cybercriminals to embed malicious content, such as code or programs, within online advertisements. These ads often appear on well-known websites, making them seem trustworthy. Once a user interacts with the ad, it can trigger the download of malware, spyware, or ransomware without their knowledge.

Let’s break down the attack and how you can prevent malvertising:

Step 1: The setup – A malicious Google ad

Cybercriminals don’t need to send phishing emails anymore, they just buy ads on Google and wait for you to come to them.

That’s what happened in this case.

  1. The user searched for “PDF editor”
  2. Clicked on a malvertising link
  3. Downloaded an EXE file posing as a legit PDF tool
  4. Ran the installer, unknowingly executing a trojanized program

[Image: Google search results for “PDF editor”, with the malicious ad highlighted in red and the real ad in green.]
An example of a malicious sponsored advert and a legitimate sponsored advert

At first, everything looked fine. No red flags. No warnings. Just a seemingly normal PDF editor. But behind the scenes? The malware had already made itself at home.

Step 2: The silent infection – What the malware did

Once executed, the EXE did exactly what the attackers designed it to do:

  1. Created a scheduled task that launched the malware on every startup
  2. Ran in hidden mode, so the user never noticed it running
  3. Maintained persistence, surviving reboots
  4. Established a backdoor, giving attackers remote access

Because the malware didn’t require admin privileges to install, even restricted users were vulnerable. It slipped past basic security measures without a hitch.

Traditional antiviruses can’t catch these types of attacks. Why? Because AV relies on known threats, and this EXE had never been flagged before.

[Image: the CloudGuard MXDR back end, showing the 24/7 SOC team’s view of the malvertising attack.]
How CloudGuard’s SOC team is able to prevent malvertising in your environment

Step 3: The attack meets a 24/7 SOC

This is where things took a turn…for the attackers.

When this file executed, it triggered a behavioural detection in our MXDR (Managed Extended Detection & Response) platform. Unlike traditional antivirus, MXDR looks at behaviour, not just known malware signatures, and something about this EXE didn’t add up.

How fast did we shut it down?

✅ 0 min → Indicators of Compromise (IOCs) are automatically analysed, enriched, and triaged using Threat Intelligence sources like Recorded Future
✅ 5 min → Identified the EXE launching command prompt activity
✅ 3 min → Traced the infection back to a malvertising download
✅ 10 sec → Isolated the machine, cutting off attacker access instantly

Total time to neutralise? Less than 10 minutes.

If this attack had gone unnoticed, it could have escalated quickly: spreading across the network, stealing credentials, or deploying ransomware.

But our 24/7 SOC was on it, stopping the attack before it could do real damage.

Why this attack matters (and why you should care)

Attacks like this aren’t rare, they’re the new norm. Cybercriminals don’t rely on hacking in anymore. They’re using SEO poisoning, Google Ads, and social engineering to let users download the malware themselves.

And if you’re only relying on antivirus or don’t have a dedicated SOC team, these threats will slip through.

Here’s how you can prevent malvertising attacks:

  1. Be cautious with Google Ads: malvertising is on the rise.
  2. Monitor scheduled tasks: unexpected ones could be a red flag.
  3. Restrict software installation permissions to prevent unauthorised installs.
  4. Deploy MDR or MXDR (not just antivirus!) to catch behavioural threats.
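The persistence pattern from Step 2 and the advice above to monitor scheduled tasks can be turned into a simple triage script. The Python below is an added example, not CloudGuard’s tooling: it parses Task Scheduler XML (what `schtasks /query /tn <name> /xml` prints, or the files under the Windows Tasks folder) and scores tasks that combine a logon/boot trigger, the hidden setting and a command in a user-writable path. The two task definitions, the finding weights and the vendor/user names are constructed for illustration.

```python
"""Triage exported Windows Task Scheduler definitions for the persistence
pattern in the write-up: a task that needs no admin rights to register, fires
at every logon/startup, runs hidden and launches a binary from a user-writable
path. Input is Task Scheduler XML (schtasks /query /tn <name> /xml output, or
the files under %SystemRoot%\\System32\\Tasks). Samples are constructed."""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Triggers that re-launch the task after a reboot or a fresh logon.
PERSISTENCE_TRIGGERS = {"LogonTrigger", "BootTrigger"}

# Locations a standard user can write to without elevation. Legitimate per-user
# updaters live in AppData too, so a hit is a lead to baseline, not a verdict.
USER_WRITABLE = re.compile(
    r"%(APPDATA|LOCALAPPDATA|TEMP|TMP|USERPROFILE|PUBLIC)%"
    r"|\\(AppData|Downloads|Temp|Public)\\",
    re.IGNORECASE,
)

# Shells and script hosts: the real payload is then hidden in the arguments.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

REVIEW_THRESHOLD = 3  # total finding weight at which an analyst should look (constructed)


def _local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def _text(root, path):
    """Text of the first element at the namespace-qualified path, or ''."""
    node = root.find(path, NS)
    return (node.text or "").strip() if node is not None else ""


def triage_task(xml_text):
    """Score one task definition and return the fields an analyst would want."""
    root = ET.fromstring(xml_text)
    findings = []  # (description, weight)

    triggers_el = root.find("t:Triggers", NS)
    triggers = [] if triggers_el is None else [_local(t.tag) for t in triggers_el]
    if PERSISTENCE_TRIGGERS & set(triggers):
        findings.append(("persists via logon/boot trigger", 1))

    if _text(root, "t:Settings/t:Hidden").lower() == "true":
        findings.append(("hidden from the Task Scheduler UI", 2))

    command = _text(root, "t:Actions/t:Exec/t:Command")
    if USER_WRITABLE.search(command):
        findings.append(("binary in a user-writable directory", 2))

    basename = command.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if basename in INTERPRETERS:
        findings.append((f"runs {basename}; payload is in the arguments", 1))

    score = sum(weight for _, weight in findings)
    return {
        "author": _text(root, "t:RegistrationInfo/t:Author"),
        "registered": _text(root, "t:RegistrationInfo/t:Date"),
        "runs_as": _text(root, "t:Principals/t:Principal/t:UserId"),
        "run_level": _text(root, "t:Principals/t:Principal/t:RunLevel"),
        "triggers": triggers,
        "command": command,
        "arguments": _text(root, "t:Actions/t:Exec/t:Arguments"),
        "findings": [name for name, _ in findings],
        "score": score,
        "verdict": "review" if score >= REVIEW_THRESHOLD else "low",
    }


def triage_tasks(xml_docs):
    """Triage a batch of exported tasks, most suspicious first."""
    return sorted((triage_task(doc) for doc in xml_docs), key=lambda r: -r["score"])


# Constructed: mimics the write-up's trojanised "PDF editor" persistence.
SUSPECT_TASK_XML = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>WORKSTATION\alice</Author><Date>2025-02-10T09:14:22</Date></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>WORKSTATION\alice</UserId>
    <LogonType>InteractiveToken</LogonType><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author"><Exec><Command>C:\Users\alice\AppData\Roaming\PDFTools\pdfeditor.exe</Command>
    <Arguments>--silent</Arguments></Exec></Actions>
</Task>"""

# Constructed: an ordinary vendor updater installed under Program Files.
BENIGN_TASK_XML = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>ExampleVendor</Author><Date>2024-11-03T12:00:00</Date></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author"><Exec><Command>C:\Program Files\ExampleVendor\updater.exe</Command>
    <Arguments>/check</Arguments></Exec></Actions>
</Task>"""
```

Run `triage_tasks` over every exported task on a host and diff the `review` set against a known-good baseline; a task that is hidden, user-registered and launched from AppData at logon is exactly the shape described in Step 2.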

But most importantly? You need a team that can catch and stop these attacks before they escalate.

[Image: how the Homebrew malvertising attack was conducted.]
The malicious Homebrew attack: a normal-looking Google ad leads to a malicious website, which then prompts the user to enter their admin password to install harmful software.

Real-world examples of malvertising

This isn’t just a one-off incident. 1 in every 100 ads comes with malicious content. Here are some recent examples:

  • January 2025 – Cybercriminals used fake Google ads mimicking the Homebrew website to target Mac users. Clicking the ad led to an infostealer malware that harvested credentials, browser data, and even cryptocurrency wallets. (Bleeping Computer)
  • December 2024 – A large-scale malvertising campaign spread the Lumma Stealer malware through fake CAPTCHA verification pages. Users were tricked into running PowerShell commands, unknowingly installing malware. (Bleeping Computer)

These attacks prove that traditional antivirus alone isn’t enough.

Attackers are changing up their tactics, and businesses need real-time detection, behavioural analysis, and round-the-clock monitoring to ensure they’re preventing malvertising attacks.

Frequently Asked Questions

Where does malvertising typically appear?

Malvertising typically appears on well-known websites, social media platforms, and search engines. Cybercriminals purchase ad space on these trusted platforms, making the malicious ads seem legitimate. Once clicked, these ads can trigger malware downloads or redirect users to harmful sites.

What’s the difference between malvertising and ad malware?

Malvertising is the use of online advertisements to distribute malicious content, often through trusted ad networks. Ad malware, on the other hand, is a broader term referring to any type of malware that specifically targets advertising platforms, potentially manipulating ads or ad networks themselves to deliver harmful content.

Is malvertising a form of phishing?

Malvertising and phishing are related, but they’re not the same. While phishing involves tricking users into revealing personal information through deceptive emails or websites, malvertising uses online ads to deliver malware or direct users to fake sites. Both techniques are forms of social engineering, but malvertising primarily involves spreading malware rather than stealing sensitive data directly.

Stay Ahead of Cyber Threats with 24/7 Managed XDR

Don’t wait until an attack happens, stop threats in real time with proactive monitoring, behavioural detection, and expert SOC analysts. Learn more about CloudGuard Managed XDR here.

Managed SOC vs Managed XDR: Find the Better Solution
https://cloudguard.ai/resources/managed-soc-vs-managed-xdr/?utm_source=rss&utm_medium=rss&utm_campaign=managed-soc-vs-managed-xdr
Thu, 02 May 2024 13:50:21 +0000

Whether you’ve already outsourced your business’s cybersecurity operations or are taking your first steps in finding a provider, you face a crucial decision: which security solution is best?

You’ve probably found so many different services and acronyms that it’s starting to feel like an impossible task.

That’s why we’ve decided to break down two options to help you narrow down the list. This will be a comparison between Managed SOC (Security Operations Centre) and Managed XDR (eXtended Detection and Response).

Hopefully this will guide you in finding the right solution to match your cybersecurity strategy and business objectives.

What are the options?

Managed SOC or SOC as a Service (SOCaaS) offers a cloud-based subscription model for managed threat detection and response, providing round-the-clock monitoring, analysis and prevention of cyber threats across diverse attack surfaces.

On the other hand, Managed XDR integrates Managed SIEM (Security Information and Event Management) and SOC capabilities, using the latest advances in AI and automation to make threat detection, analysis and response faster than humanly possible.

Now we’ll take a look at each approach in a bit more detail, exploring their features, benefits, and potential challenges.

Managed SOC explained

Managed SOC services come in various forms.

You could either outsource your security operations to Managed Security Services Providers (MSSPs) operating in the cloud or opt for Managed Detection and Response (MDR) services that combine automated processes with direct human involvement.

These services aim to monitor your threat landscape, including IT networks, devices, applications, endpoints and data. This is for both known and evolving vulnerabilities, threats and risks.

One of the main reasons organisations turn to Managed SOC solutions is to remove the burden on internal security teams and gain access to expert security capabilities that may be lacking in-house.

According to research, a significant percentage of organisations believe that managed service providers can provide better security operations and strengthen their existing SOC teams.

Additionally, managed SOC services offer continuous monitoring and faster detection and response times, and can help reduce alert fatigue.

Despite these benefits, challenges exist when introducing managed SOC services.

These challenges include the lack of visibility and context, increased complexity of investigations, integration issues and the inability to collect, process and contextualise threat intelligence data effectively.

Onboarding with a managed SOC provider can be time-consuming, and sharing critical data with a third-party provider raises concerns about data security and privacy.

Pros of Managed SOC:

  • Removes burden on internal security teams
  • Access to expert security capabilities
  • Continuous monitoring
  • Faster detection and response times
  • Helps reduce alert fatigue

Cons of Managed SOC:

  • Lack of visibility and context
  • Increased complexity of investigations
  • Integration issues
  • Inability to collect, process, and contextualise threat intelligence data effectively
  • Time-consuming onboarding process
  • Data security and privacy concerns when sharing critical data with a third-party provider

Managed XDR explained

Managed XDR is one of the newer cybersecurity services available today.

It uses advanced technologies such as AI and security automation to streamline threat detection and response capabilities.

By combining Managed SIEM with Managed SOC functionality, Managed XDR solutions offer a fresh approach to cybersecurity – enabling proactive threat hunting, faster response times and enhanced coverage.

The key advantage of Managed XDR lies in its AI and automation abilities coupled with human expertise.

By analysing vast amounts of data and identifying patterns indicative of malicious activity, Managed XDR solutions can reduce dwell time, minimise false positives and improve overall security posture.

Managed XDR can also help your organisation to stay ahead of evolving threats by proactively identifying vulnerabilities and conducting thorough investigations into potential security incidents.

Managed XDR solutions offer seamless scalability and agility, allowing your organisation to adapt to changing threat landscapes and compliance requirements with ease. By outsourcing security operations to Managed XDR providers, you can access expert security expertise and technologies without the need for substantial investments in internal resources.

Alert fatigue, talent gaps and high operational costs can be eliminated with Managed XDR.

Managed XDR is not without its challenges.

Onboarding with a Managed XDR provider may require time and resources, and organisations must be willing to trust the capabilities of a third-party provider. You will have to check what happens to your data, as storing data externally raises concerns about data security and privacy.

You’ll need to consider the risks and benefits of outsourcing security operations to Managed XDR providers.

Pros of Managed XDR

  • AI and automation capabilities coupled with human expertise
  • Reduced dwell time and minimised false positives
  • Improved overall security posture
  • Proactive identification of vulnerabilities
  • Seamless scalability and agility
  • Frees up your internal resources to focus on strategic tasks and objectives
  • Access to expert security expertise and technologies without substantial investments

Cons of Managed XDR

  • Time and resource-intensive onboarding process
  • Trusting capabilities of a third-party provider
  • Data security and privacy concerns when storing data externally
  • Need to carefully consider risks and benefits of outsourcing security operations

Comparison table

| | Managed SOC | Managed XDR |
| --- | --- | --- |
| Pros | Removes burden on internal security teams | AI and automation capabilities coupled with human expertise |
| | Access to expert security capabilities | Reduced dwell time and minimised false positives |
| | Continuous monitoring | Improved overall security posture |
| | Faster detection and response times | Proactive identification of vulnerabilities |
| | Helps reduce alert fatigue | Seamless scalability and agility |
| | | Access to expert security expertise and technologies without substantial investments |
| Cons | Lack of visibility and context | Time and resource-intensive onboarding process |
| | Increased complexity of investigations | Trusting capabilities of a third-party provider |
| | Integration issues | Data security and privacy concerns when storing data externally |
| | Inability to collect, process, and contextualise threat intelligence data effectively | Need to carefully consider risks and benefits of outsourcing security operations |

CloudGuard PROTECT Managed XDR

Allow us a moment to quickly plug CloudGuard’s PROTECT Managed XDR service.

We centre everything around Microsoft Sentinel SIEM. Here, we unify all of your security logs (including but not limited to on-prem and cloud infrastructure, devices, users, email, applications and operational technology) using our extensive library of out-of-the-box and custom data connectors.

We then bring our knowledge of automation and AI to this Managed SIEM solution to provide faster threat detection, analysis and response times.

We automatically ingest threat intelligence data into every alert to enrich our understanding of threats and incidents.

Where we can’t fully solve incidents through AI and automation, our SOC Analysts (Managed SOC) are ready to provide the in-depth knowledge and critical thinking that only humans can provide.

The best part is that all of this happens within your Microsoft tenant. We’ll either deploy or optimise your Sentinel instance and keep everything in your cloud.

Wrapping up Managed SOC vs Managed XDR

Both Managed SOC and Managed XDR offer credible solutions if you’re looking to improve your organisation’s cybersecurity posture.

While Managed SOC provides comprehensive threat detection and response capabilities, Managed XDR represents a greater step forward by using advanced technologies to drastically reduce threat detection and response times.

Ultimately, the choice between Managed SOC and Managed XDR depends on your needs and objectives. If you haven’t created a brief detailing your requirements and preferred outcomes, that’s probably the best place to start.

If you’re a bit stuck with your brief or your cybersecurity strategy in general, we offer cybersecurity consulting services to get you started, including security posture assessments and CISO advisory services.

By weighing up the features, benefits and potential challenges of Managed SOC and Managed XDR, you can make an informed decision to protect the invaluable data, assets, finances, reputation and people within your business.

5 Key Questions for Cybersecurity Vendor Selection [Your Cheat Sheet]
https://cloudguard.ai/resources/cybersecurity-vendor-selection/?utm_source=rss&utm_medium=rss&utm_campaign=cybersecurity-vendor-selection
Tue, 23 Apr 2024 14:09:06 +0000

As part of CloudGuard’s yearly review, our Customer Success leaders ran a survey across UK and Ireland based businesses to understand the challenges that IT leaders experienced when assessing the market for cybersecurity vendor selection.

The businesses had a wide variety of cyber solutions, experiences and security maturities. The purpose of this report is to summarise the key aspects respondents provided as guidance to others considering a new cyber security solution and/or partnership. Many businesses shared similar objectives and goals for a cyber MXDR service. The following details the learnings and the questions to understand in detail as anyone progresses through the buying process, builds out their success criteria and, ultimately, moves towards a decision on their elected security partner.

*All customers surveyed had a requirement for a fully Managed Detection and Response service*

[Download your copy of the report here]

5 Key Questions for Cybersecurity Vendor Selection:

    1. Can you provide an accurate response time commitment from detection & alert through to remediation and action?
    2. Will there be access to the data logs ingested into your service?
    3. Does the responsibility for incident remediation reside with the provider or with the customer?
    4. What level of tuning is included within the service provision and how is this reported on throughout the partnership?
    5. What is the company’s approach and commitment on data export requests on the logs being collected, monitored and transferred?

1. Can you provide an accurate response time commitment from detection & alert through to remediation and action?

Follow-up questions

Does this commitment meet the following conditions:

  • Lasts for the duration of the contract
  • Based on my current security deployment and relevant integrations within the service, not general statistics

Challenges faced

A repeated concern across the survey audience was the response time of the incumbent, or proposed, vendor over time. Specifically, 62% of respondents indicated that post implementation, the service experience did not meet the sales positioning and commitment.

The respondents were a variety of customers who purchased one of two service categories:

  • A supplier for MDR services only, where the service is limited to alerting the customer
  • A supplier providing SOC/SIEM/SOAR services, where the customer provides MDR services and support

In certain cases, it was identified that there was a difference between indicated performance and customer experiences due to endpoint solution parameters or performance.

These differences indicated potential response times of up to 1 hour from detection through to genuine action and/or containment.

The concern was that, once implemented, this part of the service performance could not be modified or improved. Exfiltration, weaponisation or disruption could be inflicted by nefarious actors while they had access to customer environments for up to an hour at a time from the point of intrusion.

Time to Mitigate and/or Time to Respond are key metrics to define with a supplier in advance, alongside contractual commitments.

2. Will there be access to the data logs ingested into your service?

Challenge faced

Some customers highlighted that a common issue uncovered in the purchasing process was a difference in their ability (or lack of ability) to access and/or customise the SIEM data that the supplier’s SOC captures from the customer environment.

A ‘hands-off’ approach is of course a key part of any managed service, but 54% of customers required or contracted to have the information readily available to them on demand.

The issue identified was that access was not supported or permitted, coupled with concerns around the standard vendor reporting capabilities. A key consideration for many customers in considering a 3rd party SIEM solution is improving and gaining real time reporting with behavioural user analysis capabilities.

3. Does the responsibility for incident remediation reside with the provider or with the customer?

Challenge faced

Due to varying automation capabilities and endpoint solutions across the vendor market and respondents, many providers will alert customers only and require manual intervention from the customer in order to effectively remediate incidents.

This, in turn, can significantly impact the Mean Time to Respond and Resolve metrics within the associated security partnership, and these should be defined as an absolute time, not just provider time.

Respondents encouraged exploration of common scenarios for each customer environment to understand in detail the handoffs, customisations and RACI (to define roles and responsibilities), as well as incident response execution and escalation.

4. What level of tuning is included within the service provision and how is this reported on throughout the partnership?

Challenge faced

The issue here is Alert Fatigue. This was reported as both provider and customer related. A combination of both insufficient tuning to continually reduce false and benign positive incident volumes, and a lack of support from customer success translated to customers continuing to experience higher than expected volumes of standardised alerts.

Consistent performance improvements via tuning and End User Behavioural Analysis are essential to effective detection, response, resolution and service evolution. It is essential to validate the level of tuning, commitment to ongoing improvement and how effectively this is communicated through reporting. Tuning can be rule, policy, controls or activity based.


5. What is the company’s approach and commitment on data export requests on the logs being collected, monitored and transferred?

Challenge faced

Providers have varying policies relating to the export of the data, and associated formats, collected from customer environments. It is essential that back-dated information is archived and can be appropriately exported from the service, as it forms a crucial part of running Incident Response in the event of an attack as well as of future service transition, whether migrating to another platform or to an internally managed solution.

It is important to gain access to archives and export data for compliance, preservation of priorities, investigations, service continuity and incident histories.

Respondents highlighted that certain providers did not commit to any level of data export during or at contractual completion of MXDR services.


About CloudGuard

CloudGuard is a leading Managed Security Services Provider (MSSP), offering a range of services to protect organisations against evolving cyber threats. With a focus on proactive threat detection, automated response, and responsive support, CloudGuard helps businesses to navigate the complexities of the digital landscape securely.

If you’re looking to change MXDR providers, or would like to learn more about how CloudGuard can help you with these challenges, send us a message here.

Amazon Filters Achieves 98% Security Automation with CloudGuard MXDR
https://cloudguard.ai/resources/amazon-filters-security-automation/?utm_source=rss&utm_medium=rss&utm_campaign=amazon-filters-security-automation
Tue, 09 Apr 2024 13:43:39 +0000

Press Release

Manchester, UK, 09 April 2024 – In the face of escalating cyber threats within the manufacturing sector, Amazon Filters, a prominent UK-based manufacturer of bespoke filtration technology, has strengthened its cybersecurity posture through a strategic partnership with CloudGuard’s Protect Plus MXDR service.

Amidst growing concerns over the effectiveness of traditional security measures, Amazon Filters recognised the need to enhance their cybersecurity posture. Ransomware attacks targeting competitors prompted a comprehensive review of their security strategy, leading them to deploy CloudGuard’s MXDR service.

“The threat landscape is evolving rapidly, and it’s imperative for organisations to adapt,” stated Amazon Filters’ IT Manager. “CloudGuard’s MXDR service has been a game-changer for Amazon Filters. From providing a clear roadmap for cybersecurity improvement to seamlessly integrating with our existing infrastructure, it’s been a transformative experience.”

CloudGuard’s MXDR service, an acronym for Managed eXtended Detection and Response, offers a proactive approach to cybersecurity by unifying security data, harnessing artificial intelligence for detection, and automating threat analysis and remediation processes. By integrating seamlessly with Amazon Filters’ Microsoft-centric infrastructure, the MXDR service ensures real-time visibility into potential threats across their entire estate.

Learn more about cybersecurity automation.

“The deployment of CloudGuard’s MXDR service marked a significant milestone in Amazon Filters’ cybersecurity journey,” said the IT Manager. “Automation is at the heart of CloudGuard’s Protect Plus MXDR service, which has not only strengthened our security posture but also saved us time and resources.”

Over a 90-day period, automated threat enrichment or resolution occurred in 98% of alerts. This resulted in at least a 52-day time saving compared to actioning the same alerts manually. CloudGuard’s responsive post-deployment support has further reinforced Amazon Filters’ confidence in the MXDR service.

“With CloudGuard as our security partner, we feel confident in our ability to navigate the evolving threat landscape and protect our business effectively,” added the IT Manager.

As a foundational component of their future cybersecurity strategy, Amazon Filters sees CloudGuard’s flexibility as key to accommodate their evolving security needs effectively.

Through their partnership with CloudGuard and the adoption of the Protect Plus MXDR service, Amazon Filters has improved its overall security posture and embraced automation as a cornerstone of its security strategy, ensuring continued protection of its digital assets, data, and business operations.

For more information about CloudGuard’s MXDR service, visit CloudGuard’s website or you can read the full case study here.

About CloudGuard

CloudGuard is a leading Managed Security Services Provider (MSSP), offering a range of services to protect organisations against evolving cyber threats. With a focus on proactive threat detection, automated response, and responsive support, CloudGuard helps businesses to navigate the complexities of the digital landscape securely.

Will AI Regulation Harm Cybersecurity and Help Hackers?
https://cloudguard.ai/resources/ai-regulation-harm-cybersecurity/?utm_source=rss&utm_medium=rss&utm_campaign=ai-regulation-harm-cybersecurity
Fri, 15 Dec 2023 11:08:10 +0000

Adopting and leveraging the advantages of AI is accelerating rapidly. Questions surrounding the potential impact of new AI regulations on cybersecurity innovation have sparked discussions within the industry. I was asked about this on our recent webinar about the 2024 threat landscape. In this piece, I aim to provide further analysis of this nuanced landscape, drawing upon my experiences as a seasoned professional in the cybersecurity sector.

The dual ecosystems

Let’s delve into the dichotomy I highlighted in my recent comments—the existence of two distinct ecosystems within cybersecurity. On one side, we confront well-funded entities like Octo Tempest and Scattered Spider. We also have a few nation-state-supported entities receiving over $400 million, as well as ransom money revenue. The ability of these entities to independently propel the creation of AI tools, including quantum computing, raises concerns about how this will challenge IT security, and about how global regulations need to consider guardrails and limits on their trajectory.

The second ecosystem, in contrast, comprises a diverse array of cybersecurity entities, ranging from innovative startups to established companies dedicated to defending against evolving threats. This ecosystem is characterised by agility, adaptability, innovation, and a commitment to pushing the boundaries of critical thinking.

[Image: a futuristic white humanoid robot facing off against a futuristic black humanoid robot.]

Unlike the first ecosystem, which is marked by substantial funding from nation-states, this second ecosystem thrives on a combination of ingenuity, collaboration, and a shared commitment to cybersecurity excellence. The effectiveness of nefarious activities and targeting of specific cohorts and industries is escalating considerably. As I discussed, this is unlikely to decline in 2024.

Yet there is a sensitivity to ensuring appropriate but adaptive global collaboration on guardrails and guidelines. The challenge lies in ensuring that AI regulations do not inadvertently stifle the innovation or constrain development pathways. We can learn some really powerful lessons from the hacker mindset in “good enough”, critical process thinking, and silo exploitation to respond more effectively to emerging cyber threats.

The regulatory conundrum

We have observed the global challenges on freedom of speech and data privacy, and how this can reduce our ability to understand and more effectively protect others. The initial question that arises is: to what extent do AI regulations need to influence the capabilities of these well-funded actors?

With geo-political challenges, majority global alignment is unlikely. Without this, how effective will any regulation and protection afforded therefore be? As AI and quantum computing accelerate digital transformations, we need to be ready and prepared for significant evolution at a more globally collaborative level. This must be supportive of positive innovation and developments yet offer greater levels of nation-backed individual and commercial protections.

The crucial role of international collaboration

[Image: two people shaking hands in front of various country flags.]

Moving forward, I underscore the importance of enhanced international collaboration in tackling cybersecurity challenges, bringing together commercial and political entities. The interconnected nature of cyber threats demands a consolidated response that transcends national borders. Guardrails at the country level will prove inadequate in the face of cybercriminals who operate seamlessly across borders. Strengthening collaboration needs to be backed by consistent political changes, which are supported by globally-informed policies.

The balancing act of policies in AI regulation

My concern is centred around the potential consequences of more stringent policy implementation that simply is not agile enough. A draconian approach, I argue, will hinder the very innovation and acceleration necessary for effective cybersecurity, AI and quantum computing – and the benefits this will bring.

Striking the right balance is key — regulations must adapt to the dynamic threat landscape without stifling the agility required to combat emerging challenges. Quantum computing technology may need licensing in the same way patents and drug developments are, to regulate usage and purpose. AI developments will need increased privacy assurance testing and security validation. There also needs to be greater transparency from the tech companies, as the personal data collected and analysed, be that directly or indirectly, could be acquired or exfiltrated without consent.

Empowering cyber communities

In my opinion, the power lies within cyber communities, governments, and expert cyber agencies. These collective communities, driven by a shared purpose to make the world a better place through collaboration and innovation, can harness the accelerating technologies of AI and large language models to strengthen cybersecurity.


The delicate balance involves enabling these communities to leverage AI while ensuring responsible and ethical use. Ensuring the messaging is understood, continually evolves, and is adopted is a crucial part of future success.

Navigating the tightrope

There has always been a delicate balance between regulatory measures and fostering an environment conducive to innovation in the cybersecurity sector.

AI regulation has taken too long to agree and implement, let alone evolve. This balance is critical in ensuring the ongoing effectiveness of our cybersecurity efforts. Restricting innovation runs the risk of leaving us ill-prepared to face the ever-evolving tactics employed by cybercriminals.

Worse still, it puts businesses and individuals who cannot afford, or do not understand how, to improve their protection at greater levels of risk.

Innovation as a necessity

Let’s be clear—cybersecurity innovation is not a luxury but an imperative in today’s digital landscape. Our AI-powered cybersecurity solutions, such as the MXDR (Managed Extended Detection and Response), demonstrate the innovation necessary to stay ahead of sophisticated threats. As technology progresses ever faster, defence mechanisms must evolve in tandem. AI regulation cannot hold that back.


Global unity in cybersecurity

The call for international collaboration is more than a mere suggestion or wishful thinking; it is a fundamental recognition that cybersecurity is a collective responsibility.

There must be concerted, multi-national alignment to reduce weaponisation tactics and activities in the cyber threat landscape. No one entity or nation can stand alone against the rising tide of cyber threats. Collaboration involves not only sharing intelligence but also aligning policies globally to create a unified defence against adversaries. Learn fast. Then adapt policies and regulation from this continual learning. We need to make it part of the fabric of our lives to ensure those that are most vulnerable have access to protection.

The future cyber landscape

Looking ahead, I hope for a future where cybersecurity evolves alongside the advancements in AI and automation. However, this future hinges on the careful calibration of regulatory measures and collaboration. While oversight is necessary, a balanced approach—one that empowers the cybersecurity industry to proactively address and adapt to emerging challenges—is crucial.

My final thoughts on AI regulation

My insights provide a firsthand view of the intricate relationship between AI regulation and cybersecurity innovation. The delicate balance between regulatory measures and fostering innovation is vital to the continued effectiveness of our cybersecurity efforts.

As we navigate the evolving landscape of cyber threats, a consistent, collaborative, and more globally-informed learning approach, coupled with a commitment to innovation, will be crucial in safeguarding our digital futures.

Striking this balance requires a nuanced understanding of the challenges and opportunities that lie at the intersection of AI and cybersecurity—an intersection that defines the future of our industry.

To learn more about AI regulation, and the 2024 threat landscape as a whole, watch my webinar on demand. Here’s a snippet to get you started.

Introducing CloudGuard’s New MXDR Platform https://cloudguard.ai/resources/cloudguard-new-mxdr-platform/?utm_source=rss&utm_medium=rss&utm_campaign=cloudguard-new-mxdr-platform Fri, 08 Dec 2023 14:09:01 +0000 https://cloudguard.ai/?p=9497 CloudGuard’s MXDR platform is getting ready for Christmas early with its newly updated customer dashboard, offering more detailed insights into your organisation’s cybersecurity operations. I’m Liam, CloudGuard’s Platform Leader, and I’m going to walk you through some of the key changes to our MXDR platform.

Clearer overview

We’ve overhauled the MXDR platform’s dashboard overview – giving a clearer indication of security across your environment. Tables now have useful axis data to make it easier to track your performance. We’ve also streamlined the colour scheme to make alert severity easier to identify.

animated gif showing old and new mxdr platform dashboard

More powerful metrics

To make everything more accessible at a glance, we’ve changed some of the key metric tables regarding your environment.

  • Alert Closure Reason has been removed, and replaced with Severity of Open Tickets – that’s definitely important to know
  • Top 3 Metrics: Shows you the Total Amount of Alerts, and the breakdown of open alerts from Sentinel and M365
  • Bottom 3 Metrics: Now shows the impact automation has on your environment, and the amount of devices monitored within Defender for Endpoint

old vs new key metrics overview in mxdr platform

More detailed drilldowns

We understand you want to know about incidents in your environment, so we’ve enriched the drilldown data that’s available for all alerts. This should give you a much clearer picture of what’s happening. Adding data filtering and search capabilities is our next goal.

old vs new data drilldown in the mxdr platform

New MXDR platform metric: Automation Impact

A powerful new metric to give you an insight into the Guardian App, the impact automation is having on your environment, and your security operations as a whole. See the amount of time we’ve saved with automated threat intelligence, triaging, and resolution. You can also see the total number of tickets we’ve been able to influence with automation.

automation impact in the mxdr platform

Monitored assets

It’s now easier than ever to see the assets being monitored in your environment – with helpful metrics to guide you on your risk and security.

example of monitored assets in the MXDR platform

Tickets needing your attention

We’ve streamlined the process that enables you to see the tickets that need your attention. Simply click in the dashboard as below and it’ll take you to the ticketing system.

gif showing how customers access their ticket queue in mxdr platform

Data consumption

Data consumption is a very important metric when it comes to cybersecurity as it can directly impact your security costs. We’ve updated the visuals and data within the dashboard to make it much clearer to see what drives consumption in your environment.

data consumption in the mxdr platform

Data connector drilldown

Each data connector from your environment into Microsoft Sentinel now has a detailed drilldown of data, so you can see what’s happening across multiple vectors. See the number of events and various logs, as well as other helpful metrics. Some data in the below example has been obscured for security.

example of the connector data drilldown in the mxdr platform

Health status for connectors

The health of your connectors is paramount when it comes to your security. We’ve made it easy to see with a scroll of a mouse, as you’ll see in the video below. It will give you more information on hover should there be anything to be concerned about.

example of checking connector health in mxdr platform

Custom time range filter

Want to review your security data over a certain time period? That’s now possible with our custom time range filter. Simply click and select the time period you want, and we’ll show you the data. Please note that the availability of historical data is dependent on your log data retention rules within Microsoft Sentinel.

showing how custom filters work in the mxdr platform

Link to SharePoint

Want to view all your customer documents related to our MXDR service? You can now click within the dashboard to be taken to your private SharePoint environment.

how to access customer sharepoint in mxdr platform

That’s all, folks

And that’s it for now on the new features in our MXDR platform customer dashboard. Our engineers are already working on the next phase of enhancements, and I look forward to sharing the updates with you in the future. Do you have any feature requests or questions? Email me on [email protected].

Accelerating Supply Chain Cyber Risk Reduction (Part 2) https://cloudguard.ai/resources/supply-chain-cyber-risk-reduction-part-2/?utm_source=rss&utm_medium=rss&utm_campaign=supply-chain-cyber-risk-reduction-part-2 Wed, 06 Dec 2023 10:34:09 +0000 https://cloudguard.ai/?p=9482 In part 1 of Supply Chain Cyber Risk Reduction, we covered the excellent NCSC advice on how manufacturing businesses can work with supply chain partners to improve overall cyber security controls and reduce risks. After all, it is through partnership and a shared understanding of responsibilities that both awareness and better support can be provided. In this blog, we take a look at the subsequent six principles and how these can drive continuous improvement for manufacturing businesses and their supply chains.

The principles of supply chain security

For those wishing to understand the first six principles, please see understanding risk and establishing more control.

The next set of 3 principles the NCSC highlights are focused on verifying arrangements. This includes:

  • Building assurance activities into the supply chain

Now, this is most commonly established using contractual changes, but for well-established, trusted suppliers without their own cyber expertise, this can be both daunting and introduce significant overheads on already stretched businesses.

It introduces new requirements and commitments to upwardly measure and report risks, largely through audits. It commonly introduces assurance measures, usually through certifications like Cyber Essentials Plus (so it is independently audited and tested annually).

For CloudGuard, the overhead of maintaining this internally for smaller businesses is the biggest challenge we see, as well as working with internal audits encouraging and ensuring good security behaviours are adopted and updated.

The “right to audit” where organisations have worked together for years, have a superb understanding of one another and are excellent partners, can introduce a new dynamic in terms of “security requirements”. Very few supply chain partners have the luxury of in-house cyber expertise or the time to add this to the to-do list.

This is where working collaboratively with a cyber partner like CloudGuard can bridge the gap in capabilities and actions. It ensures ownership and responsibility for the additional areas added by security requirements, and allows supply chain partners to do what they do best, whilst working towards assured and continually improving supply chain security controls.

Continuous improvement is key

Cyber security is a journey. It is full of evolution, continuous change, and a focus on improvement, with a destination of reducing supply chain risks and building greater levels of trust. That in turn reduces risks for all parties working together. It ensures they will continue to do so successfully for many years to come.

The NCSC’s guidance on continuous improvement completes the final principles. In our experience, cybersecurity challenges are more effectively solved faster through sharing issues, ideas and valuing input. A collaborative approach ensures buy-in and the most effective communications across the shared issue of reducing business risks.

The ever-changing nefarious actors seek out intellectual property, customer information, distribution and pricing information, as well as customer data. They care not for your long-established business or trading relationships, or your passion for producing high quality goods, materials and services. Their motives are primarily to cause as much business disruption and impact as possible through data exfiltration, overriding security controls and demanding ransom payments.

Timing is everything

The basic principle CloudGuard helps supply chain partners understand is that the earlier you can see and understand a security issue, the earlier you can intervene and control the impact.

These can be sophisticated attacks involving long-term reconnaissance to establish how they will infiltrate, exploit and exfiltrate. If so, early detection with the right solutions and expertise will reduce the likelihood of this happening.

Cybersecurity is constantly evolving as are threats. The expertise required to understand these threats and risks to business is best served by working in supply chain partnerships with experts. There are no guarantees, but should the worst happen, this supply chain partnership with an expert partner reduces both the business impact and accelerates recovery. All of this minimises supply chain impact and overall risk.

How to achieve supply chain cyber risk reduction

We need to work collectively to prevent another 18% quarter on quarter increase in ransomware attacks on hard working, stretched supply chain and manufacturing businesses. Let’s make it happen from today. It is why CloudGuard has created the PROTECT Lite service. It is specifically designed for supply chain businesses of 5 to 50 employees, to help reduce key risks by embedding the above principles and enabling continual improvements.

For more information or guidance on our PROTECT Lite service for supply chain partners, please reach out to [email protected]. Together, we can reduce business risks from cyber disruption from today. Next week I will talk about recent attacks on manufacturing businesses and what we can learn from these to share intelligence and improve cyber security. Thanks for reading.

Become More Productive with Automated Threat Intelligence https://cloudguard.ai/resources/automated-threat-intelligence/?utm_source=rss&utm_medium=rss&utm_campaign=automated-threat-intelligence Wed, 22 Nov 2023 15:35:06 +0000 https://cloudguard.ai/?p=9382 The need for efficient and proactive security measures has never been greater. One significant development is the rise of automated threat intelligence, a powerful tool that can transform your organisation’s defences. Here, I’ll cover what automated threat intelligence is, and how this productivity hack can improve your security operations.

  1. What is Automated Threat Intelligence?
  2. Key components and benefits
  3. Integration into security operations
  4. Considerations for implementation
  5. CloudGuard and automated threat intelligence

The cybersecurity landscape has seen a marked increase in the sophistication of cyber attacks. Forbes reports 560,000 new pieces of malware are detected every day. Even though phishing remains the most successful and popular method, threat actors are becoming more adept at crafting new tactics, making it challenging for traditional security measures to keep pace. This evolving threat landscape proves the need for automated threat intelligence as a proactive defence against increasingly sophisticated attack methods.

What is Automated Threat Intelligence?

Automated threat intelligence involves the use of advanced tech to collect, analyse, and relay information about potential cyber threats. This process is designed to help organisations identify, assess, and mitigate risks in real-time. Instead of relying solely on manual efforts, automated threat intelligence harnesses the capabilities of artificial intelligence and machine learning to process vast amounts of data rapidly.


Key components and benefits

  1. Data Aggregation: Automated threat intelligence platforms often aggregate data from various sources, including open-source feeds, government alerts, and even your organisation’s internal logs. Companies such as Recorded Future specialise in gathering this data. This comprehensive approach ensures that your security teams have access to a wide range of information, increasing the chances of detecting emerging threats.
  2. Real-time Analysis: Traditional threat intelligence methods often struggle with the sheer volume of data generated daily. Automated systems can process this information at machine speed, allowing your organisation to respond swiftly to potential threats before they escalate. We’re talking seconds instead of hours.
  3. Machine Learning Algorithms: Machine learning algorithms play a pivotal role in automated threat intelligence. These algorithms can identify patterns and anomalies within data, enabling the system to adapt and evolve alongside emerging threats. This adaptability is crucial in an environment where cyber threats are constantly evolving.
  4. Customisation: Automated threat intelligence solutions can be tailored to suit your organisation’s specific needs. This customisation ensures that the system focuses on the types of threats most relevant to your industry, making it a targeted and efficient tool for your security operations.

“Enrichment using automated threat intelligence is a great method to reduce the overall time to triage for each alert,” says CloudGuard SOC Analyst Joe Appleby. He continues by saying “by performing checks on the alert’s entities, it allows us analysts to get a better understanding of the alert straight away!”


Integration into security operations

The integration of automated threat intelligence into your security operations can significantly enhance your organisation’s overall cybersecurity posture. Here’s how:

  1. Proactive Threat Detection: By continuously monitoring and analysing data, automated threat intelligence systems can identify potential threats before they infiltrate your network. Being proactive is essential for preventing security breaches and minimising the impact of cyberattacks.
  2. Reduced Response Time: The real-time nature of automated threat intelligence means that your security teams can respond promptly to identified threats. This reduction in Mean Time to Respond (MTTR) is critical for minimising the potential damage caused by cyber incidents.
  3. Resource Optimisation: Automation allows your security analysts to focus on more complex tasks, such as incident response and strategic planning, while routine threat analysis is handled by the system. This optimisation of resources enhances the overall efficiency of your security operations.

I asked SOC Leader, Vaughan Carey, for his thoughts on automated threat intelligence. Here’s what he had to say: “Leveraging top-class threat intelligence to enrich every entity related to an incident allows us to instantly obtain a more informed snapshot of what has occurred within an alert. This enables our SOC to provide much faster response times, thereby reducing the likelihood of a company-wide compromise.”

Considerations for implementation

When considering the adoption of automated threat intelligence, it’s crucial to assess the specific needs and challenges of your organisation. Additionally, ensure that your team is adequately trained to interpret and act upon the insights provided by the system. A well-rounded approach, combining automated tools with human expertise, will yield the best results.

Embracing automated threat intelligence is a strategic move for IT decision makers looking to strengthen their organisation’s security operations. By leveraging the power of artificial intelligence and machine learning, you can stay one step ahead of cyber threats, detect vulnerabilities in real-time, and optimise your resources for a more robust cybersecurity posture.

CloudGuard and automated threat intelligence

CloudGuard’s Managed Extended Detection and Response (MXDR) service has automated threat intelligence built into its core. This means we can rapidly respond to incidents within your environment. In fact, our clever engineers have developed a custom integration that takes Recorded Future’s threat intelligence data and feeds it into Microsoft Sentinel, automatically enriching alerts for human analysts with plenty of helpful context.

This helps to drastically reduce MTTR, and gives security teams more time to focus on strategic tasks. Our SOC Leader says it’s “unlike anything I’ve seen before.” So, join our upcoming webinar to see it for yourself.

Accelerating Supply Chain Cyber Risk Reduction (Part 1) https://cloudguard.ai/resources/supply-chain-cyber-risk-reduction-part-1/?utm_source=rss&utm_medium=rss&utm_campaign=supply-chain-cyber-risk-reduction-part-1 Tue, 21 Nov 2023 10:05:50 +0000 https://cloudguard.ai/?p=9377 Today, I was with some manufacturing businesses who have recently experienced a significant increase in cyber activities, largely through their diverse supply chains. They had initially attempted to manage this themselves, but when the risks elevated, they sought external expertise. The principles of supply chain cybersecurity are definitely better understood in 2023, but the landscape is changing so rapidly it can be difficult to prioritise. So, what is the most effective response for Supply Chain Cyber Risk Reduction?

Recommendations for Supply Chain Cyber Risk Reduction

My first recommendation is the excellent guidance provided by the NCSC embedded in these 12 principles. The NCSC divides the approach into 4 easy to implement stages of:

  1. Understanding the risk
  2. Establishing control
  3. Checking your arrangements
  4. Continuous improvement

We have worked with a lot of manufacturing and distribution businesses in 2023, as there has been a marked increase in nefarious activities in this sector. Our specialist partner, Dragos, recently completed their updated research that confirmed an 18% increase from the previous quarter in attacks. It is complicated by a number of factors, not least that many of the affiliates are working closely together and providing aggregated intelligence and resources. Bottom line: cyber and supply chain risks are increasing. Significantly.

Understanding supply chain risk

The NCSC guidance starts with understanding risk, which focuses on:

  • Understanding what needs to be protected
  • Know your supplier security
  • Quantify the security risk posed by your supply chain

The most significant issue with this for many organisations is helping supply chain businesses understand and assess their own security maturity. There are useful approaches available like the NPSA questionnaire, but feedback has been one of poor or inconsistent responses, as smaller businesses of 5 to 50 employees simply do not have the time or skills to do this, particularly in the current climate. It is a fair challenge and something we are striving to improve. Without this, understanding the security risks posed by your supply chain can be very difficult. Or, if you take a no response/no compliance view, you would rate some of your best suppliers as too high risk to work with. And that doesn’t work for anybody.

How to gain more control over your supply chain cyber risk

The NCSC guidance provides very clear insights into how you should seek to establish more control of your supply chain. This includes but is not limited to:

  • Communicating your view of security needs of your suppliers
  • Setting minimum security requirements of suppliers
  • Building security considerations into your contracting processes

So, by actually doing the first 6 principles together, setting realistic timelines to achieve this e.g. over the next 6 to 12 months, you will be able to reduce risks for both your business and your supplier. It is demonstrating how this can be achieved with minimal impact to all concerned that is most important up front to maximise engagement.

What I’ve tried to do about supply chain risk

Over 12 months ago, Jav and I met with 2 manufacturing business leaders who expressed real concern at the absence of cyber industry solutions to the above problems. We responded by creating CloudGuard’s PROTECT Lite MXDR service. It is specifically designed for supply chain businesses of 5 to 50 employees, to help reduce key risks by embedding the above principles and enabling the NCSC principles I will discuss in my next blog on Supply Chain Cyber Risk Reduction.


For more information or guidance on our PROTECT Lite MXDR service for supply chain partners, please reach out to [email protected]. Together, we can reduce business risks from cyber disruption from today. Next week, I will talk about the second 6 principles in more detail. Thanks for reading.

New Customer Tests CloudGuard’s Automated Incident Response https://cloudguard.ai/resources/cloudguard-automated-incident-response/?utm_source=rss&utm_medium=rss&utm_campaign=cloudguard-automated-incident-response Mon, 11 Sep 2023 10:53:15 +0000 https://cloudguard.ai/?p=3106 In August 2023, a new customer partnered with CloudGuard to improve their cybersecurity posture. Little did they know that within days of going live with our CloudGuard Protect MXDR service, a multi-stage incident lurking in their environment would be exposed.

This case study delves into the incident, highlighting the importance of rapid threat detection and automated incident response.

Discovering the threat


CloudGuard’s Protect MXDR service wasted no time in proving its worth. Within days of deployment, it raised the alarm on a serious security incident.

We deploy Microsoft Sentinel as a Security Information and Event Management (SIEM) solution as part of the service. We unified all the customer’s security data into one place, so that it could be rapidly analysed by Sentinel’s advanced algorithms.

This analysis allows us to detect, in seconds, suspicious patterns or anomalies in the data that could be indicative of an attack.

In this case, suspicious commands and tasks were cleverly concealed within Base64-encoded payloads – making detection by traditional means nearly impossible.

Once detected, our SOC (Security Operations Centre) team quickly sprang into action.

Decoding the threat


The SOC team’s expertise was put to the test as they successfully decoded the payloads.

What they unveiled was chilling: a discreet form of malware had been making recurring attempts to manipulate the registry in the customer’s environment since March 2023.
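The detection-and-decode step described above, shown as an added example rather than CloudGuard’s own tooling or Sentinel content: a small Python routine that scans process-creation events for a PowerShell -EncodedCommand blob, decodes it the way PowerShell does (base64 over UTF-16LE), and flags any command line, encoded or not, that writes to the Run registry keys (MITRE ATT&CK T1547.001). The hosts, users, command lines and encoded payloads are all constructed for the demo; none are data from the incident.

```python
import base64
import re

# --- Constructed sample telemetry (illustrative only, not data from the incident) ---

def _encode_ps(command):
    """Encode text the way PowerShell's -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    # Encoded PowerShell writing an autorun value: the pattern to flag.
    {"host": "WS-01", "user": "jdoe",
     "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand " + _encode_ps(
         r"Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' "
         r"-Name 'Updater' -Value 'C:\Users\Public\u.exe'")},
    # Encoded but benign: admin scripts use -enc legitimately, so decoding matters.
    {"host": "WS-02", "user": "svc_backup",
     "cmdline": "powershell.exe -enc " + _encode_ps("Get-Service wuauserv | Select-Object Status")},
    # The same registry change with no encoding at all, via reg.exe.
    {"host": "WS-03", "user": "admin",
     "cmdline": r"cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run "
                r"/v Sync /t REG_SZ /d C:\Temp\s.exe"},
    # Ordinary activity.
    {"host": "WS-04", "user": "jdoe", "cmdline": r"notepad.exe C:\Users\jdoe\notes.txt"},
]

# The -EncodedCommand switch and its usual abbreviations, followed by the base64 blob.
ENCODED_FLAG = re.compile(r"-(?:encodedcommand|enc|en|e)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

# Indicators of Run-key persistence, matched against the *decoded* command line.
REGISTRY_INDICATORS = [
    re.compile(r"\\CurrentVersion\\Run(?:Once)?\b", re.IGNORECASE),
    re.compile(r"\b(?:Set|New)-ItemProperty\b", re.IGNORECASE),
    re.compile(r"\breg(?:\.exe)?\s+add\b", re.IGNORECASE),
]


def decode_powershell_b64(blob):
    """Decode a base64 blob, preferring UTF-16LE (what -EncodedCommand uses) over UTF-8."""
    raw = base64.b64decode(blob, validate=True)
    # UTF-16LE text made of ASCII characters has a 0x00 in every odd position.
    if len(raw) % 2 == 0 and raw[1::2].count(0) >= len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def expand_command_line(cmdline):
    """Return (command line with the encoded blob replaced by plaintext, was_encoded)."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return cmdline, False
    try:
        decoded = decode_powershell_b64(m.group(1))
    except (ValueError, UnicodeDecodeError):  # not valid base64 after all
        return cmdline, False
    return cmdline[:m.start(1)] + decoded, True


def analyse_events(events):
    """Decode each event's command line and report registry-persistence indicators."""
    findings = []
    for ev in events:
        expanded, was_encoded = expand_command_line(ev["cmdline"])
        hits = [p.pattern for p in REGISTRY_INDICATORS if p.search(expanded)]
        findings.append({
            "host": ev["host"],
            "user": ev["user"],
            "encoded": was_encoded,
            "decoded_command": expanded,
            "indicators": hits,
            "registry_persistence": bool(hits),
        })
    return findings


if __name__ == "__main__":
    for f in analyse_events(SAMPLE_EVENTS):
        flag = "ALERT" if f["registry_persistence"] else "ok   "
        print(f"{flag} {f['host']:6} encoded={f['encoded']!s:5} {f['decoded_command'][:90]}")
```

The point of decoding before matching is that the encoded and the plain form of the same command must produce the same finding, and that an encoded but harmless admin command (WS-02) is not flagged merely for being encoded.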

The threat actors behind this attack were not to be underestimated.

Automated threat enrichment


One of the crucial aspects of threat detection is understanding the adversary. The problem is that this can take a human hours of painstaking research to accomplish. We reduce this process to minutes thanks to automation.

Automated threat enrichment works by continuously gathering and analysing data from various sources, including dark web forums, hacker chatter, and malware databases. This data is then correlated with the indicators of compromise (IOCs) detected in the customer’s environment.

We use machine learning algorithms to identify patterns and link them to known threat actors and their tactics, techniques, and procedures (TTPs).

Here, our use of automated threat enrichment meant the malware could be swiftly linked to an attack by notorious threat actors, with Emotet or Gozi suspected to be the threat group.
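How feed-to-alert enrichment of this kind works, as an added example and not CloudGuard’s Recorded Future to Microsoft Sentinel integration: the block aggregates two constructed intelligence feeds into one indicator table, looks up each entity of a constructed alert, weights the match by corroboration and staleness, and rolls up the actors and ATT&CK technique IDs attached to the hits so an analyst sees the linkage at once. It also illustrates the data aggregation, real-time analysis and entity-enrichment components described in the “Become More Productive with Automated Threat Intelligence” post above. Every value is an assumption for the demo: the indicators use documentation IP ranges, an .invalid domain and a placeholder hash, and the “Emotet” label and technique IDs were chosen only to make the roll-up visible.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed reference clock so the staleness logic is deterministic.
NOW = datetime(2023, 8, 20, tzinfo=timezone.utc)

# Two constructed feeds (a vendor feed and an internal blocklist). The indicators,
# the actor label and the ATT&CK technique IDs are all assumptions for the demo.
FEED_VENDOR = [
    {"indicator": "203.0.113.44", "type": "ip", "confidence": 90, "actor": "Emotet",
     "ttps": ["T1059.001", "T1547.001"], "last_seen": "2023-08-18"},
    {"indicator": "update-check.example.invalid", "type": "domain", "confidence": 70,
     "actor": "Emotet", "ttps": ["T1071.001"], "last_seen": "2023-05-01"},
]
FEED_INTERNAL = [
    {"indicator": "203.0.113.44", "type": "ip", "confidence": 60, "actor": None,
     "ttps": [], "last_seen": "2023-08-19"},
    {"indicator": "DEADBEEF" * 8, "type": "sha256", "confidence": 80, "actor": None,
     "ttps": ["T1547.001"], "last_seen": "2023-08-10"},
]

# Constructed alert whose entities an analyst would otherwise look up by hand.
SAMPLE_ALERT = {
    "id": "INC-0001",
    "entities": [
        {"type": "ip", "value": "203.0.113.44"},
        {"type": "domain", "value": "Update-Check.example.invalid."},  # mixed case, trailing dot
        {"type": "sha256", "value": "deadbeef" * 8},
        {"type": "ip", "value": "198.51.100.7"},  # not in any feed
    ],
}


def normalise(value, kind):
    """Canonicalise an indicator so feed and alert spellings match."""
    if kind == "ip":
        return str(ipaddress.ip_address(value.strip()))
    if kind == "domain":
        return value.strip().lower().rstrip(".")
    return value.strip().lower()  # hashes


def aggregate(feeds):
    """Merge several feeds into one table keyed by (type, normalised indicator)."""
    merged = {}
    for source, records in feeds.items():
        for rec in records:
            key = (rec["type"], normalise(rec["indicator"], rec["type"]))
            entry = merged.setdefault(key, {"sources": set(), "confidence": 0,
                                            "actors": set(), "ttps": set(), "last_seen": None})
            entry["sources"].add(source)
            entry["confidence"] = max(entry["confidence"], rec["confidence"])
            if rec.get("actor"):
                entry["actors"].add(rec["actor"])
            entry["ttps"].update(rec.get("ttps", []))
            seen = datetime.strptime(rec["last_seen"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
            if entry["last_seen"] is None or seen > entry["last_seen"]:
                entry["last_seen"] = seen
    return merged


def enrich_alert(alert, intel, now=NOW, stale_after=timedelta(days=90)):
    """Look up every entity, weight each match, and roll up actors/TTPs for the analyst."""
    results = []
    for ent in alert["entities"]:
        hit = intel.get((ent["type"], normalise(ent["value"], ent["type"])))
        if hit is None:
            results.append({"entity": ent["value"], "match": False, "score": 0})
            continue
        score = hit["confidence"]
        if now - hit["last_seen"] > stale_after:
            score //= 2  # old intel is weaker evidence
        if len(hit["sources"]) > 1:
            score = min(100, score + 10)  # corroborated by more than one source
        results.append({"entity": ent["value"], "match": True, "score": score,
                        "sources": sorted(hit["sources"]), "actors": sorted(hit["actors"]),
                        "ttps": sorted(hit["ttps"])})
    top = max((r["score"] for r in results), default=0)
    verdict = "likely-malicious" if top >= 80 else "suspicious" if top >= 40 else "no-intel"
    return {
        "alert_id": alert["id"], "verdict": verdict, "top_score": top,
        "actors": sorted({a for r in results if r["match"] for a in r["actors"]}),
        "ttps": sorted({t for r in results if r["match"] for t in r["ttps"]}),
        "entities": results,
    }


if __name__ == "__main__":
    intel = aggregate({"vendor": FEED_VENDOR, "internal": FEED_INTERNAL})
    summary = enrich_alert(SAMPLE_ALERT, intel)
    print(summary["alert_id"], summary["verdict"], summary["actors"], summary["ttps"])
    for r in summary["entities"]:
        print(f"  {r['entity']:35} score={r['score']:3} sources={r.get('sources', [])}")
```

Two design choices carry the weight here: normalising indicators before the lookup (so a trailing dot or mixed-case domain still matches), and scoring by evidence quality rather than by a bare hit, so a stale single-source match is reported as weaker than a fresh one seen by two feeds.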

Europol states: “EMOTET has been one of the most professional and long lasting cybercrime services out there. First discovered as a banking Trojan in 2014, the malware evolved into the go-to solution for cybercriminals over the years.”

This attribution provided critical context for the incident response.

Automated incident response is key

Time is of the essence in the world of cybersecurity, and CloudGuard proved its worth once again.

Within just 20 minutes of detecting the threat, CloudGuard’s automated incident response service had not only exposed the malicious command lines but also alerted the customer about the critical incident.

Furthermore, it provided detailed remediation actions, including isolating and rebuilding the affected machine.

Lessons learned

The timeline of this incident is notable. The malware had infiltrated the customer’s environment in March 2023, long before their partnership with CloudGuard began in August. This highlights the importance of continuous monitoring and detection capabilities, as threats may remain dormant for extended periods.

Moreover, the incident proves the value of an integrated MXDR service like CloudGuard’s. Rapid detection, immediate alerting, automated incident response, and actionable remediation guidance proved invaluable in mitigating the threat swiftly.

Ongoing investigation

While the immediate threat was addressed efficiently, the work is far from over.

An ongoing investigation aims to uncover how the malware gained a foothold in the environment and whether any damage was inflicted. The incident underscores the need for proactive threat hunting and post-incident analysis to strengthen defences against future attacks.

The importance of cybersecurity


The CloudGuard Protect MXDR service proved its ability in unearthing a stealthy, long-standing threat within a new customer’s environment. The incident proves the importance of robust threat detection, automated incident response, and continuous monitoring.

As organisations continue to face evolving and sophisticated threats, services like CloudGuard’s MXDR play a crucial role in improving cybersecurity defences. The swift identification and mitigation of this incident demonstrate the value of proactive cybersecurity measures in protecting sensitive data and business continuity.
